'Chicken Farmer' Bots Steal Secrets From Governments Worldwide

By Robert Lemos |
Posted 2013-08-07

An Asian espionage network consisting of more than 5,000 bots—or "chickens" in the region's parlance—has infected government agencies in the United States, Europe, Taiwan, Thailand, Malaysia and other nations, according to research presented at the Black Hat security conference by Taiwanese researchers.

While the researchers had identified more than two dozen groups operating different "chicken farms" that were responsible for nearly 50 attacks per week on each major Taiwanese agency, their presentation focused on one group of farmers called "LStudio."

The attacks, most of which are not detected by antivirus software, aim to install stealthy malware to steal sensitive government information, said Benson Wu, lead security researcher at Taiwan-based Xecure Lab, who co-presented the research at Black Hat. Known as advanced persistent threats (APTs), such espionage attacks have become a common occurrence, not only for U.S. companies and government agencies, but those in Taiwan as well, Wu said.

"Taiwan is a great place to study APT—it's like an APT playground," he said. "It's very easy to collect new samples, and everything is so new that (antivirus) has a zero detection rate."

The researchers refused to attribute the attacks to any specific actors, noting that it is fairly easy to disguise attacks from one country to make them appear to come from another. However, there was a noticeable absence from the list of victims.

"There are no IP addresses from China," says Fyodor Yarochkin, a security researcher at Academia Sinica/Taiwan, who co-presented the research at Black Hat.

Cyber-espionage has become the crowd-sourced Cold War of the modern era. While many western countries, such as the United States, have adopted espionage on the Internet as a way to gather information a wide variety of information on other countries, many developing nations have focused on stealing economic secrets from the United States and Europe.

China is the most aggressive of the current crop of espionage actors, but information-gathering attacks have been attributed circumstantially to the United States, Russia, India and Israel. More damaging attacks—such as the sabotage of Iran's nuclear processing capability by the Stuxnet program—have been allegedly carried out by the United States, Israel, Iran and North Korea.

"APT malware only accounts for a very tiny percentage of legitimate traffic, but they are like lethal weapons," Wu said. "Once you have it, you have these lethal malware inside your organization."

In the case of LStudio, the attackers appear to be intent on gathering information using a variety of espionage tools that connect to different backend systems. The researchers were able to gather information on the data centers and the consoles that were used by the attackers.

An interesting component of the system is that it posted messages to a social network as a way to pass information from the compromised systems to the farmers who managed those "chickens." Messages, such as "Carol: Aaron win the competion (sic) award like ZWEknbws, well known for the series of F512," identify the specific malware, the user and passes other information.

In addition, the attackers would give each campaign a label that, in many cases, named the target, allowing the attackers to discover that some attacks were directed at the Ministry of Energy, while others focused on the largest media companies in Taiwan.